We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

Identity theft by domain name

In a recent decision dated March 2 2017, the Paris Court of First Instance ordered the transfer of a domain name consisting of the name of a person whose identity had been misused, most likely fraudulently.(1)

Facts

The claimant, referred to by the court as Mme X for privacy reasons, lived in France and worked as a communications manager.

The defendant, Mme Y, lived in France and, according to WHOIS records, was listed as the registrant of a domain name that was identical to the first and last name of Mme X under the country code top-level domain for France, '.fr'.

The claimant was alerted to the fact that the domain name had been registered in the defendant's name on November 3 2016. The domain name was for a website that sold shoes and accessories online.

On November 21 2016 the claimant sent a cease-and-desist letter to the defendant requesting transfer of the domain name to the claimant.

The defendant replied that she could not have registered the domain name and that her identity had also been misused, given the fact that the geolocation of the relevant IP address linked the domain name to Istanbul and the wrong telephone number and email details had been provided. The defendant also provided evidence that she had filed a complaint with the French police authorities and asserted that she would take the necessary steps to transfer the domain name to the claimant.

However, despite several follow-ups, the defendant failed to request that the French Domain Name Registry transfer the domain name. Therefore, on December 16 2016 the claimant filed a fixed date summons for the domain name to be transferred and the corresponding website disabled. The summons was served on the defendant on December 20 2016 and the domain name was deleted on January 3 2017.

Decision

The court noted that, under Article L 45-2, 2° of the Post and Electronic Communications Code, the registration or renewal of a domain name may be refused or the domain name may be cancelled if it likely infringes IP or personality rights, unless the domain name holder has a legitimate interest in the domain name and is acting in good faith.

The court considered that surnames are attributes of personality, noting that the domain name was constituted by the claimant's first and last name. The court found that the claimant's application was admissible, regardless of the fact that the defendant's identity had also been misused, since only the defendant was entitled to ask for the deletion or transfer of the domain name.

The court underlined that, although the claimant was neither a famous personality nor particularly well known, she was a communications manager and therefore had a relatively significant presence on the Internet, notably on professional social networks. The court also stated that the website in question was likely fraudulent, as it did not comply with the e-commerce regulations due to the absence of any general terms and conditions of sale or legal notices or contact details. It further ruled that there was a risk that the claimant would be held responsible or associated with the commercial activities conducted on the website because the domain name exactly matched the claimant's first and last name, the latter of which was not particularly common.

Comment

This decision highlights the fact that, under French law, a court can order the transfer of a domain name registered or used fraudulently (in this case, because it contained the name of a person whose identity had been misused and because it was resolving to a fraudulent website). While companies used to be the principal victims of cyber fraud with regard to their trademarks and names, the identity of an individual can also be affected, especially when that person is of a certain notoriety.

This decision further illustrates that French court proceedings against a domain name holder can sometimes be a useful tool to tackle identity theft, contrary to alternative dispute resolution mechanisms (eg, the Uniform Domain Name Dispute Resolution Policy (UDRP)), which often do not allow for the protection of personal names per se – for example, under the UDRP, individuals can successfully recuperate their personal name only if they can prove that they possess either registered or unregistered trademark rights in the name.